DADI has rebranded to Edge. Find out more.

Edge SSL

Encrypted traffic across the internet is of fundamental importance to our collective and individual security and privacy. Here CTO Arthur Mingard talks about the approach taken in the Edge network to ensure security in data transport.

Lead article image

Encrypted traffic across the internet is of fundamental importance to our collective and individual security and privacy. Authentication credentials, sensitive financial data and private messaging are all key targets for attack. SSL encrypted traffic is so important that its absence significantly impacts SEO. Security is a key focus on the Edge network, and that’s why from the very beginning we chose to make network traffic fully encrypted by default.

Image

Generating a certificate requires some back-and-forth between the client server and the certificate authority, a sort of call and response that confirms proof of control for the domain. Each step of verification relies on previously transmitted data so typically the same server must be used throughout.

Image

With requests to the Gateway being load balanced, the likelihood of the CA’s response terminating at the origin Gateway is not guaranteed. LetsEncrypt does support DNS record verification for such circumstances, but that would require forcing clients to exclusively use the network as their Name Server, which is unnecessarily restrictive.

Image

Another option we explored was to create a temporary DNS lock, directing all requests to a single Gateway. Temporarily directing all traffic to a single production server risks creating potentially harmful load, increasing global latency for the domain in question, and creating bias in the payout mechanism by limiting contribution to a single contributor.

Image

With locking out of the question, we moved to exploring the option of distributing the certificate verification process. This would require the current terminating Gateway to distribute the certificate verification history across the network so that other Gateways can pick up where the previous Gateway left off. The autocert package has a cache interface, making it easy to build a custom getter/setter for previously obtained certificates and other account data. Using Consul Key/Value as an ephemeral store for the cache, the ACME (Automated Certificate Management Environment) becomes decentralised, allowing multiple Gateways to contribute towards the successful generation of a free certificate.

Image

After the certificate is generated and temporarily cached in Consul KV, the datacenter’s primary Stargate begins the process of migrating the payload to the network’s persisted certificate store, removing the original from Consul. Once migrated, it becomes visible to the wider network and is synchronized with each Consul datacenter by their respective primary Stargates.

And that’s it! The network now looks after the creation, renewal and distribution of free and secure SSL with zero maintenance, further simplifying the onboarding process and making all network traffic secure and encrypted as standard.

Related articles

More knowledge articles
Mail icon

Like what you are reading? Want to earn tokens by becoming an Edge Node? Save money on your hosting services? Build amazing digital products on top of Edge services? Join our mailing list.

To hear about our news, events, products and services, subscribe now. You can also indicate which services you are interested in, which we use for research and to inform the content that we send.

* You can unsubscribe at any time by emailing us at data@edge.network or by clicking on the unsubscribe link which can be found in our emails to you. Read our Privacy Policy.